I noticed that you are only MD5-hashing the passwords, which is not enough in the year 2010. Another big problem is that you can use only alphanumeric characters in your password.
Could you change the password functions to use at least some kind of salt?
Then make the password check calculate the password hash using sha1($salt.$_POST['password']), and maybe even iterate this a few times to strengthen the password. Upgrading users to the next version could be handled by using the old md5 mechanism if the salt is empty and the more secure version when a salt is found.
The users table could look something like this:
CREATE TABLE users (
    id       int auto_increment NOT NULL UNIQUE,
    username varchar(255) NOT NULL,
    salt     varchar(255) NOT NULL,   -- empty string = legacy unsalted md5 row
    password varchar(255) NOT NULL,   -- md5 hex (legacy) or salted sha1 hex
    admin    varchar(255) NOT NULL default 'no'
);
I also noticed that you are storing the plaintext password in the PHP session file. You should hash the password before saving it as a session variable.
If you are allowing alphanumeric passwords only because magic quotes might break them, then please use this: http://talks.php.net/show/php-best-practices/26
<?php
// Undo magic_quotes_gpc once, at the top of the request, so the rest of the
// code sees the raw input and can escape it properly itself.
// (get_magic_quotes_gpc() and each() were removed in PHP 8; magic quotes
// themselves are gone since PHP 5.4, so this block is a no-op there.)
if (get_magic_quotes_gpc()) {
    // References to the superglobals, so stripslashes() edits them in place.
    $in = array(&$_GET, &$_POST, &$_COOKIE);
    // each() is used on purpose: nested arrays are appended to $in while it
    // is being walked, and foreach would iterate over a stale copy.
    while (list($k, $v) = each($in)) {
        foreach ($v as $key => $val) {
            if (!is_array($val)) {
                $in[$k][$key] = stripslashes($val);
                continue;
            }
            // Queue the nested array for the next pass of the while loop.
            $in[] =& $in[$k][$key];
        }
    }
    unset($in);
}
?>
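The salted, iterated check and the md5-to-salted upgrade described at the top of this post, as an added example that is not code from the original post or from the project it refers to. It uses the users table sketched above; the function names, the iteration count and the sample rows are assumptions. It needs PHP 7.0+ for random_bytes() and PHP 5.6+ for hash_equals(); on the PHP 5.2/5.3 of 2010, openssl_random_pseudo_bytes() and a hand-written constant-time compare would stand in. Iterated salted SHA-1 is what the post asks for; on any PHP that has password_hash() (5.5+), a purpose-built password hash such as bcrypt is the stronger choice and needs no hand-rolled iteration.

```php
<?php
// Added example: salted, iterated sha1 password storage with transparent
// upgrade of legacy unsalted md5 rows (salt = ''), per the scheme proposed
// in the post above. Names, iteration count and sample rows are assumed.

const HASH_ITERATIONS = 10000; // assumed value; raise it as hardware gets faster

function make_salt()
{
    return bin2hex(random_bytes(16)); // 32 hex chars, fits salt varchar(255)
}

// Round 1 is sha1($salt . $password) as the post suggests; every further
// round feeds the previous digest back in with the salt prepended again.
function hash_password($password, $salt)
{
    $digest = $password;
    for ($i = 0; $i < HASH_ITERATIONS; $i++) {
        $digest = sha1($salt . $digest);
    }
    return $digest;
}

// $row is one users record (keys: salt, password). Returns array('ok' => bool)
// and, when a legacy md5 row has just verified, an 'upgrade' entry holding
// the new salt/hash pair for the caller to write back with an UPDATE.
function check_password(array $row, $password)
{
    if ($row['salt'] === '') {
        // Legacy row from the old release: unsalted md5.
        if (!hash_equals($row['password'], md5($password))) {
            return array('ok' => false);
        }
        $salt = make_salt();
        return array(
            'ok'      => true,
            'upgrade' => array('salt' => $salt, 'password' => hash_password($password, $salt)),
        );
    }
    $expected = hash_password($password, $row['salt']);
    return array('ok' => hash_equals($row['password'], $expected));
}

// Persist an upgrade with a prepared statement ($db is an assumed PDO handle).
function store_upgrade(PDO $db, $userId, array $upgrade)
{
    $stmt = $db->prepare('UPDATE users SET salt = ?, password = ? WHERE id = ?');
    $stmt->execute(array($upgrade['salt'], $upgrade['password'], $userId));
}

// Constructed sample rows (not real data): one legacy md5 user, one salted user.
$legacy = array('id' => 1, 'salt' => '', 'password' => md5('correct horse'));
$salt   = make_salt();
$modern = array('id' => 2, 'salt' => $salt, 'password' => hash_password('battery staple', $salt));

$r = check_password($legacy, 'correct horse');
echo 'legacy login ok: ',      var_export($r['ok'], true), "\n";
echo 'legacy row upgraded: ',  var_export(isset($r['upgrade']), true), "\n";
// At this point a real login handler would call store_upgrade($db, 1, $r['upgrade']).
echo 'salted login ok: ',      var_export(check_password($modern, 'battery staple')['ok'], true), "\n";
echo 'salted wrong password: ', var_export(check_password($modern, 'wrong')['ok'], true), "\n";
```

The upgrade path keeps the old md5 check only for rows whose salt is still empty, so once every user has logged in again the legacy branch is dead code and can be removed. hash_equals() is used for both comparisons so that hash checking does not leak timing information.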